SAML Authentication fails due to expired assertion

bgood


We have a recurring issue with Meraki MX100 appliances in 2 different data centers. It is related to the AnyConnect VPN log with SAML authentication enabled. It's happened twice for each. We have performed numerous packet captures and evaluated logs. It always resolves on its own after a few days. Meraki support finally gave us a backend log that pointed us in the right direction.


The error was that the request expired due to the before and after SAML response fields. I was able to validate the timestamp in the Meraki event log we have access to, and it matched the IdP (Identity Provider) timestamp and was also inside the SAML expiration window, which is 1 minute. The Meraki tech claimed it was off by 5 minutes. The backend SAML log we don't have access to has a timestamp 5 minutes off from the Meraki event log we can see. The tech agreed this was odd.


It's as if the backend time sync for the Meraki is not using the same time source as the local Meraki web event log. How can this be? It seems neither of these time syncs is controllable by us.
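As an added illustration of the failure described in this post (example code written for this page, not from the original poster or from Meraki): the check below validates a SAML assertion's `Conditions` window against a given clock, using a constructed assertion with a 1-minute window, and shows that a 5-minute offset between the IdP's clock and the validating device's clock rejects an assertion that was inside its window when issued, unless the validator tolerates that much skew.

```python
# Added example, not from the original post: validate a SAML assertion's
# Conditions window against a given clock, and show how a clock offset between
# the IdP and the validating device turns an in-window assertion into "expired".
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a 1-minute validity window like the one the post describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example">
  <saml:Conditions NotBefore="2024-01-10T12:00:00Z" NotOnOrAfter="2024-01-10T12:01:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now_iso, allowed_skew_seconds=0):
    """Return (ok, reason) for the assertion's Conditions at clock now_iso.
    allowed_skew_seconds is the tolerance a validator may apply to absorb small
    clock differences; NotOnOrAfter is an exclusive bound per the SAML spec."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion has no Conditions element"
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, f"not yet valid: NotBefore={cond.get('NotBefore')} now={now_iso}"
    if now - skew >= not_on_or_after:
        return False, f"expired: NotOnOrAfter={cond.get('NotOnOrAfter')} now={now_iso}"
    return True, "inside validity window"


def diagnose_skew(assertion_xml, idp_now_iso, validator_now_iso):
    """Compare verdicts under the IdP's clock and the validator's clock and report
    the offset in seconds (validator minus IdP), the comparison the post makes
    between the visible event-log timestamp and the backend SAML log."""
    offset = parse_saml_time(validator_now_iso) - parse_saml_time(idp_now_iso)
    return {
        "skew_seconds": int(offset.total_seconds()),
        "idp_clock_ok": check_conditions(assertion_xml, idp_now_iso)[0],
        "validator_clock_ok": check_conditions(assertion_xml, validator_now_iso)[0],
    }
```

Running `diagnose_skew(SAMPLE_ASSERTION, "2024-01-10T12:00:30Z", "2024-01-10T12:05:30Z")` reports a 300-second offset with the IdP clock passing and the validator clock failing, which is the pattern of a validator whose clock is not synced to the same source as the IdP.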
